def passive_record_to_view(rec, category=None):
    """Return a passive entry in the View format.

    Note that this entry is likely to have no sense in itself. This
    function is intended to be used to format results for the merge
    function.

    Args:
        rec: a passive record (any mapping). It is copied first, so the
            caller's object is never mutated. "recontype" and "lastseen"
            must be present; "addr", "sensor" and "source" are optional
            (but "source" is required when the extractor for this
            recontype is itself a dict keyed by source).
        category: when not None, becomes the single element of the
            view record's "categories" list.

    Returns:
        The view record as a dict, or None when *rec* has no "addr".

    Raises:
        KeyError: when "recontype" or "lastseen" is missing, or when the
            extractor is keyed by source and *rec* has no "source".
    """
    rec = dict(rec)
    addr = rec.get("addr")
    if not addr:
        return None

    view = {
        "addr": addr,
        "state_reason": "passive",
        # module-level constant, defined elsewhere in this file
        "schema_version": ACTIVE_SCHEMA_VERSION,
    }

    # A DNS_ANSWER record alone is not enough evidence to mark a host as up.
    if rec["recontype"] != "DNS_ANSWER":
        view["state"] = "up"

    sensor = rec.get("sensor")
    if sensor:
        view["source"] = [sensor]

    # "lastseen" is used for *both* "starttime" and "endtime". This may look
    # surprising, but it avoids producing a scan record with an
    # exceptionally long "scan duration".
    # datetime.fromtimestamp() without a tz yields a naive, local-time
    # datetime -- presumably the project's convention; confirm before
    # correlating these times with other (e.g. UTC) sources.
    # The TypeError fallback keeps the raw value when it is not a number
    # (presumably already a datetime -- TODO confirm against callers).
    lastseen = rec["lastseen"]
    try:
        seen_at = datetime.fromtimestamp(lastseen)
    except TypeError:
        seen_at = lastseen
    view["starttime"] = seen_at
    view["endtime"] = seen_at

    # _EXTRACTORS (module-level, defined elsewhere) maps a recontype to
    # either a callable or a dict of callables keyed by the record's source.
    # Unknown recontypes / sources contribute nothing to the view.
    extractor = _EXTRACTORS.get(rec["recontype"], lambda _: {})
    if isinstance(extractor, dict):
        extractor = extractor.get(rec["source"], lambda _: {})
    view.update(extractor(rec))

    # Both helpers are defined elsewhere in this file and mutate the view
    # record in place; update_openports=False defers the "openports"
    # computation to set_openports_attribute() right after.
    set_auto_tags(view, update_openports=False)
    set_openports_attribute(view)

    if category is not None:
        view["categories"] = [category]
    return view
def passive_record_to_view(rec, category=None):
    """Return a passive entry in the View format.

    Note that this entry is likely to have no sense in itself. This
    function is intended to be used to format results for the merge
    function.

    Args:
        rec: a passive record (any mapping); a shallow copy is made so
            the caller's object is left untouched. "recontype",
            "firstseen" and "lastseen" must be present; "addr", "sensor"
            and "source" are optional ("source" is required when the
            extractor for this recontype is a dict keyed by source).
        category: when not None, stored as the only element of the view
            record's "categories" list.

    Returns:
        The view record (dict), or None when *rec* has no "addr".

    Raises:
        KeyError: when a required key is missing (see *rec* above).
    """
    rec = dict(rec)
    if not rec.get("addr"):
        return None

    view = {
        "addr": rec["addr"],
        "state_reason": "passive",
        # module-level constant, defined elsewhere in this file
        "schema_version": ACTIVE_SCHEMA_VERSION,
    }

    # A DNS_ANSWER record alone is not enough evidence to mark a host as up.
    if rec["recontype"] != "DNS_ANSWER":
        view["state"] = "up"

    if rec.get("sensor"):
        view["source"] = [rec["sensor"]]

    # Both timestamps are converted together: if either one is not a number
    # (TypeError), *both* raw values are kept as-is, exactly as the original
    # does. fromtimestamp() without a tz gives naive local-time datetimes --
    # presumably the project's convention; confirm before correlating with
    # UTC-based sources.
    first_seen, last_seen = rec["firstseen"], rec["lastseen"]
    try:
        start = datetime.fromtimestamp(first_seen)
        end = datetime.fromtimestamp(last_seen)
    except TypeError:
        start, end = first_seen, last_seen
    view["starttime"] = start
    view["endtime"] = end

    # _EXTRACTORS (module-level, defined elsewhere) maps a recontype to a
    # callable, or to a dict of callables keyed by the record's "source".
    # Unknown recontypes / sources add nothing to the view.
    no_extra = lambda _: {}  # noqa: E731 -- shared no-op fallback
    extractor = _EXTRACTORS.get(rec["recontype"], no_extra)
    if isinstance(extractor, dict):
        extractor = extractor.get(rec["source"], no_extra)
    view.update(extractor(rec))

    # Defined elsewhere in this file; mutates the view record in place.
    set_openports_attribute(view)

    if category is not None:
        view["categories"] = [category]
    return view
def passive_record_to_view(rec, category=None):
    """Return a passive entry in the View format.

    Note that this entry is likely to have no sense in itself. This
    function is intended to be used to format results for the merge
    function.

    Args:
        rec: a passive record (mapping). It is copied, so the caller's
            object is never modified. Required keys: "recontype",
            "firstseen", "lastseen". Optional: "addr", "sensor",
            "source" ("source" becomes required when the extractor for
            this recontype is a dict keyed by source).
        category: when not None, becomes the sole element of the view
            record's "categories" list.

    Returns:
        The view record (dict), or None when *rec* has no "addr".

    Raises:
        KeyError: when a required key (see *rec*) is missing.
    """
    rec = dict(rec)
    addr = rec.get('addr')
    if not addr:
        return None

    # Timestamps are converted as a pair on purpose: if either value is not
    # a number (TypeError), both raw values are kept, mirroring the original
    # behaviour. fromtimestamp() with no tz yields naive local-time
    # datetimes -- presumably the project's convention; confirm before
    # correlating with UTC-based data.
    first_seen = rec['firstseen']
    last_seen = rec['lastseen']
    try:
        start_time = datetime.fromtimestamp(first_seen)
        end_time = datetime.fromtimestamp(last_seen)
    except TypeError:
        start_time = first_seen
        end_time = last_seen

    view = {
        'addr': addr,
        'state_reason': 'passive',
        # module-level constant, defined elsewhere in this file
        'schema_version': ACTIVE_SCHEMA_VERSION,
        'starttime': start_time,
        'endtime': end_time,
    }

    # A DNS_ANSWER record alone is not enough evidence to mark a host as up.
    recontype = rec['recontype']
    if recontype != 'DNS_ANSWER':
        view['state'] = 'up'

    sensor = rec.get('sensor')
    if sensor:
        view['source'] = [sensor]

    # _EXTRACTORS (module-level, defined elsewhere) maps a recontype to a
    # callable, or to a dict of callables keyed by the record's 'source'.
    # Unknown recontypes / sources contribute nothing.
    extractor = _EXTRACTORS.get(recontype, lambda _: {})
    if isinstance(extractor, dict):
        extractor = extractor.get(rec['source'], lambda _: {})
    view.update(extractor(rec))

    # Defined elsewhere in this file; mutates the view record in place.
    set_openports_attribute(view)

    if category is not None:
        view['categories'] = [category]
    return view